dnsop L. Pan
Internet-Draft
Intended status: Informational Y. Fu
Expires: January 18, 2018 CNNIC
July 17, 2017
ISP Location in DNS Queriesdraft-pan-dnsop-edns-isp-location-02
Abstract
Nowadays, many Authoritative Nameservers support GeoIP feature, they
guess the user's geolocation by the client subnet of EDNS Client
Subnet (ECS) or by the source IP address of DNS query, return tailor
DNS response based on the user's geolocation. However, ECS raises
some privacy concerns because it leaks client subnet information on
the resolution path to the Authoritative Nameserver.
This document is inspired by EDNS Client Subnet (ECS), describes an
improved solution for GeoIP-enabled Authoritative Nameservers,
defines an EDNS ISP Location (EIL) extension to address the privacy
problem of ECS, tries to find the right balance between privacy
improvement and user experience optimization.
EIL is defined to convey isp location < COUNTRY, AREA, ISP >
information that is relevant to the DNS message. It will directly
provide the same sufficient information for the GeoIP-enabled
Authoritative Nameserver as ECS, to decide the response without
guessing geolocation of the IP address.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 18, 2018.
Pan & Fu Expires January 18, 2018 [Page 1]

Internet-Draft ISP Location in DNS Queries July 2017
EIL is intended for those Local Forwarding Resolvers, Recursive
Resolvers and Authoritative Nameservers that would benefit from the
extension and not for general purpose deployment. It could be
applied for tailor DNS response like ECS scenario. EIL can safely be
ignored by servers that choose not to implement or enable it.
1.1. Path Calculation and Tailored DNS Response
Separate the consideration of path calculation (Data Provider) and
tailored DNS response (Authoritative Nameserver).
Data Providers make path calculations to optimize content delivery on
the Internet based on the network topology, considering many factors
such as IP, RIPs, FIBs, AS Path hops, system load, content
availability, path latency, etc. Note that, Data Providers have the
full details of the clients, they can make any complex path
calculations without ECS and EIL.
Authoritative Nameservers configure tailored DNS response based on
the result of path calculations, allocate IP addresses to different
datacenters. Usually, users from the same < COUNTRY, AREA, ISP > isp
location are allocated to the same datacenter, the same best "network
topologically close" datacenter. For example, client IP addresses
from < China, Beijing, Telecom > are allocated to DataCenter-1,
client IP addresses from < China, Beijing, Unicom > are allocated to
DataCenter-2, etc. Above is the GeoIP-based Tailored DNS Response.
Therefore, if the GeoIP-enabled Authoritative Nameservers support
ECS, they can use the client subnet information of ECS instead of
resolver's address for geolocation detecting. Alternative, the
GeoIP-enabled Authoritative Nameservers can directly use the <
COUNTRY, AREA, ISP > information of EIL without geolocation
detecting.
Again, we emphasize that tailored DNS response does not affect path
calculation. Data Providers can make path calculations based on
network topology, decide network topological close datacenter for
each IP address. Authoritative Nameservers allocate tailored DNS
response to each IP address based on the "network topological close"
result of path calculations. EIL tell Authoritative Nameserver like
that, "I want to know what is best IP address for clients from <
China, Beijing, Telecom > at network topology path calculations
result", but not "I want to know what is the nearest IP address for
clients from < China, Beijing, Telecom > at physical topology path
calculations result".
EIL is satisfied if Authoritative Nameservers aggregate the IP
addresses from the same < COUNTRY, AREA, ISP > isp location to visit
Pan & Fu Expires January 18, 2018 [Page 4]

Internet-Draft ISP Location in DNS Queries July 2017
the same datacenters, we call that GeoIP-based tailored DNS
responses, and these tailored responses have the best "network
topological close" distance to the users which are generated from
network topology path calculations result.
ECS is satisfied if Authoritative Nameservers make tailored DNS
response down to subnet precise level. For example, (subnet-1, ...,
subnet-100) are from the same < COUNTRY, AREA, ISP > isp location,
Data Provider applies (subnet-1, ..., subnet-50) visit DataCenter-1,
(subnet-51, ..., subnet-100) visit DataCenter-2.
2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
[RFC2119] when they appear in ALL CAPS. When these words are not in
ALL CAPS (such as "should" or "Should"), they have their usual
English meanings, and are not to be interpreted as [RFC2119]
keywords.
3. Terminology
Basic terms used in this specification are defined in the documents
[RFC1034], [RFC1035], [RFC7719] and [RFC7871].
EIL: EDNS ISP Location.
ECS: EDNS Client Subnet, described in [RFC7871].
Local Forwarding Resolver: Forwarding Resolver is described in
[RFC7871]. It is the first Forwarding Resolver which receives DNS
queries from Stub Resolver, usually deployed nearby the first-hop
router such as public Wi-Fi hotspot routers and home routers.
Recursive Resolver: described in [RFC7871]. It is the last-hop
before Authoritative Nameserver in the DNS query path.
Intermediate Nameserver: described in [RFC7871]. Any nameserver in
between the Stub Resolver and the Authoritative Nameserver, such as a
Recursive Resolver or a Forwarding Resolver.
Intermediate Forwarding Resolver: Any Forwarding Resolver in between
the Local Forwarding Resolver and Recursive Resolver.
Authoritative Nameserver: described in [RFC7719] and [RFC2182]. It
is a server that knows the content of a DNS zone from local
Pan & Fu Expires January 18, 2018 [Page 5]

Internet-Draft ISP Location in DNS Queries July 2017
knowledge, and thus can answer queries about that zone without
needing to query other servers.
4. Overview
EIL is an EDNS0 option to allow Local Forwarding Resolvers and
Recursive Resolvers, if they are willing, to forward details about
the isp location of client when talking to other nameservers. EIL
can be added in queries sent by Local Forwarding Resolvers or
Recursive Resolvers in a way that is transparent to Stub Resolvers
and end users.
Like ECS, Authoritative Nameservers could provide a better answer by
using precise isp location in EIL. Intermediate Nameservers could
send EIL query and cache the EIL response. This document also
provides a mechanism to signal Intermediate Nameservers that they do
not want EIL treatment for specific queries.
EIL is only defined for the Internet (IN) DNS class.
The format of EIL option is described in Section 5.
The security concerns for EIL are like ECS, such as cache growth,
spoof EDNS0 option and privacy, etc. Mitigation techniques are
discussed in Section 6.
5. The EIL EDNS0 option
The EIL is an EDNS0 option to include the isp location of client in
DNS messages.
It is 14 octets which is structured as follows:
Pan & Fu Expires January 18, 2018 [Page 6]

Internet-Draft ISP Location in DNS Queries July 2017
+0 (MSB) +1 (LSB)
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
0: | OPTION-CODE |
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
2: | OPTION-LENGTH |
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
4: | COUNTRY-CODE |
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
6: | AREA-CODE |
| |
| |
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
12: | ISP |
| |
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
Total: 14 octets.
o OPTION-CODE, 2 octets, defined in [RFC6891]. EDNS option code
should be assigned by the IANA.
o OPTION-LENGTH, 2 octets, defined in [RFC6891], contains the length
of the payload (everything after OPTION-LENGTH) in octets.
o COUNTRY-CODE, 2 octets, uppercase, defined in [ISO3166], indicates
the country information of the client's IP. For example, China's
COUNTRY-CODE is CN.
o AREA-CODE, 6 octets, uppercase, defined in [ISO3166] country
subdivision code, indicates the area information of the client's
IP. For example, The AREA-CODE of Fujian Province in China is 35.
o ISP, 4 octets, uppercase, indicates the ISP information of the
client's IP, using shortcut names. ISP shortcut names are unique
within the context of the COUNTRY-CODE. For example, the shortcut
name of China Telecommunications Corporation is TEL, the shortcut
name of China United Network Communications is UNI, the shortcut
name of China Mobile is MOB, etc.
All fields are in network byte order ("big-endian", per [RFC1700],
Data Notation).
The aim to use short names in the fields is to limit the data size of
EIL, decrease the DDoS risk.
The null value 0x20 signifies that the field is unknown. If all
fields in EIL are set to null value, it means that client doesn't
want to use EIL.
Pan & Fu Expires January 18, 2018 [Page 7]

Internet-Draft ISP Location in DNS Queries July 2017
Authoritative Nameservers can send EIL response with the * value 0x2A
in AREA-CODE field or ISP field (not COUNTRY-CODE field), which
signifies that the field is wildcard match. For example, < CN, *,
TEL > indicates "all area in China, Telecom ISP".
Example code is in Github at: https://github.com/abbypan/dns_test_eil
.
6. Protocol Description6.1. Originating the Option
The EIL can be initialized by Public Recursive Resolver, ISP
Recursive Resolver, or Local Forwarding Resolver.
Examples are given in Appendix B.
6.1.1. P-Model: Public Recursive Resolver
Public Recursive Resolvers are not close to many users because the
service providers couldn't deploy servers in every country and every
ISP's network, which will affect the response accuracy of
Authoritative Nameservers. To encounter this problem, ECS shifts the
client subnet information to Authoritative Nameserver, but rises user
privacy concerns.
Therefore, to keep balance between precise and privacy, when a Public
Recursive Resolver receives a DNS query, it can guess isp location of
client's IP and generate the EIL OPT data, then send EIL query to the
Authoritative Nameserver. This will move the "guess location of
client's IP" work from Authoritative Nameserver back to Public
Recursive Resolver, lighten the burden of Authoritative Nameserver,
but increase DDoS risk on Public Recursive Resolver.
In order to improve the user's privacy, if a Recursive Resolver
receives a DNS query with ECS, it can guess the isp location of
SOURCE-PREFIX from the ECS OPT data, and make a new DNS query with
EIL, then send the query to Authoritative Nameserver which supports
EIL.
P-model is the most recommended and close to the ECS.
6.1.2. I-Model: ISP Recursive Resolver
ISP Recursive Resolver only serves its customers, each of whom has a
static isp location. ISP Recursive Resolver can add EIL transparent
to end user, and then Authoritative Nameserver doesn't need to "guess
location of client's IP".
Pan & Fu Expires January 18, 2018 [Page 8]

Internet-Draft ISP Location in DNS Queries July 2017
EIL will be benefit if the Authoritative Nameserver could not find
the approximate isp location of ISP Recursive Resolver, which is
crucial to DNS response accuracy in ECS.
6.1.3. L-Model: Local Forwarding Resolver
Local Forwarding Resolver is usually on the first-hop router, such as
public Wi-Fi hotspot routers and Cisco/Linksys/Netgear/TP-LINK home
routers.
When a Local Forwarding Resolver that implements EIL receives a DNS
query from an end user, it surely can know about the isp location of
client's IP, and generate the EIL OPT data, then send the EIL query
to the intermediate Recursive Resolver. Intermediate Recursive
Resolver sends the EIL query to the Authoritative Nameserver.
In this scenario, both Public Recursive Resolver and Authoritative
Nameserver don't need to "guess location of client's IP", because the
Local Forwarding Resolver supplies the isp location precisely. That
is, EIL can reduce dependence on the IP geolocation database quality,
which is crucial to DNS response accuracy in ECS.
If a Local Forwarding Resolver had sent a query with EIL, and
receives a REFUSE response, it MUST regenerate a query with no EIL.
6.2. Generating a Response6.2.1. Whitelist
EIL contains a whitelist for COUNTRY-CODE, AREA-CODE and ISP, which
can be discussed and maintained by the DNSOP working group.
Authoritative Nameservers that supporting EIL must only response the
EIL queries matched the whitelist. Recursive Resolver that
supporting EIL must only cache the EIL responses matched the
whitelist.
6.2.2. Authoritative Nameserver
Using the isp location specified in the EIL option of DNS query, an
Authoritative Nameserver can generate a tailored response.
Authoritative Nameservers that have not implemented or enabled
support for the EIL ought to safely ignore it within incoming
queries, response the query as a normal case without EDNS0 option.
Such a server MUST NOT include an EIL option within replies to
indicate lack of support for it.
Pan & Fu Expires January 18, 2018 [Page 9]

Internet-Draft ISP Location in DNS Queries July 2017
An Authoritative Nameserver that has implemented this protocol and
receives an EIL option MUST include an EIL option in its response to
indicate that it SHOULD be cached accordingly.
An Authoritative Nameserver will return a more appropriate tailored
response for the query with an EIL option containing more precisely
AREA-CODE.
6.2.3. Intermediate Nameserver
Like ECS, Intermediate Nameserver passes a DNS response with an EIL
option to its client when the client indicates support EIL.
If an Intermediate Nameserver receives a response that has a larger
area than the AREA-CODE provided in its query, it SHOULD still
provide the result as the answer to the triggering client request
even if the client is in a smaller area.
6.3. Handling EIL Responses and Caching
If an Intermediate Nameserver had sent a query with EIL, and receives
a NOERROR response without EIL option, it SHOULD treat this answer as
suitable for all clients.
Other handling considerations are similar with ECS [RFC7871], SECTION7.3.
6.3.1. Caching the Response
In the cache, all resource records in the Answer section MUST be tied
to the isp location specified in the response. The Answer section is
valid for all areas which the EIL option covered. For example, an
EIL option < CN, 35, TEL > covers all 9 Cities in Fujian Province of
China Telecommunications ISP.
Same with ECS, The Additional and Authority sections are excluded.
Enabling support for EIL in an Intermediate Nameserver will increase
the size of the cache, and prevent "client subnet leak" privacy
concern of ECS.
6.3.2. Answering from Cache
Cache lookups are first done as usual for a DNS query, using the
query tuple of < name, type, class >. Then, the appropriate RRset
MUST be chosen based on the isp location matching.
Pan & Fu Expires January 18, 2018 [Page 10]

Internet-Draft ISP Location in DNS Queries July 2017
If there was an EIL option, the Intermediate Nameserver will lookup
for < same COUNTRY-CODE, same ISP, same AREA-CODE > of the same query
tuple in the cache. Otherwise, try to find < same COUNTRY-CODE, same
ISP, same AREA-CODE > of the same query tuple in the cache.
If no EIL option was provided, the safest choice of the Intermediate
Nameserver is dealing the query as a normal case without EDNS0
option.
If no EIL option was provided, but the Intermediate Nameserver want
to be more aggressive, it can guess the isp location from the source
IP of the query, then respond as if there was an EIL option with the
guessed information. Users can be benefit when the Intermediate
Nameserver has a more precise IP location database than the
Authoritative Nameserver, especially in global public DNS service
like GoogleDNS(8.8.8.8).
If no matching is found, the Intermediate Nameserver MUST perform
resolution as usual.
6.3.3. Support ECS and EIL at the same time
Name servers can support ECS and EIL at the same time. ECS and EIL
can't be both initiated at the same DNS packet. It is better for
user privacy if name servers initiate the EIL query prior to the ECS
query.
If Authoritative Nameservers support both ECS and EIL, Recursive
resolvers can cache both ECS response and EIL response, there are
some choices for Recursive Resolvers when they receive DNS queries.
Pan & Fu Expires January 18, 2018 [Page 11]

Internet-Draft ISP Location in DNS Queries July 20176.6. Response Accuracy
GeoIP-enabled Authoritative Nameservers that support ECS can support
EIL smoothly.
Compared to ECS, EIL can reduce dependence on the IP geolocation
database quality. EIL will rise the response accuracy of
Authoritative Nameserver if its database can not find approximate isp
location of ECS client subnet, ensure user latency. EIL will help
Authoritative Nameservers to avoid cross-isp visit if its database
can not find approximate isp location of ECS client subnet, save IP
transit cost.
7. Security Considerations7.1. DNSSEC
EIL is not signed.
7.2. Privacy
As mentioned in [RFC7871]'s abstract section, since ECS has some
known operational and privacy shortcomings, a revision will be worked
through the IETF for improvement. The biggest privacy concern on ECS
is that client subnet information is personally identifiable. The
more domains publish their zones on a third-party Authoritative
Nameserver, the more end user privacy information can be gathered by
the Authoritative Nameserver according to the ECS queries.
EIL is to improve user privacy which is inspired by ECS, prevented
leaks in the client subnet information.
Like ECS, EIL will leak the global zonefile configurations of the
Authoritative Nameservers more easily than normal case.
7.3. Target Censorship
DNS traffic is plain text by default. It is easily to be blocked or
poisoned by internet target censorship. To bypass the censorship, it
is better to encrypt the DNS traffic or use some proxy tunnel.
EIL's isp location information covers bigger area than ECS's client
subnet information. Therefore, compared to ECS in plain text
condition, EIL is weaker at blocking record attack, but stronger at
targeted DNS poisoning attack.
Pan & Fu Expires January 18, 2018 [Page 13]

Internet-Draft ISP Location in DNS Queries July 20177.4. Cache Size
Like ECS, cache size will raise if a Public Recursive Resolver
supports EIL. The cache size of ECS grows up with the number of
client subnets. The cache size of EIL is related to the row count in
the < COUNTRY-CODE, AREA-CODE, ISP > isp location whitelist.
Therefore, under IPv6 environment, the cache size of EIL will be
smaller than ECS.
7.5. DDoS
To migrate the DDoS problem:
o If an Authority Server receives a DNS query with unknown data in
EIL option, it SHOULD return the default response whose EIL option
with null value.
o Nameservers OPTIONAL only implement EIL when the query is from a
TCP connection.
More migration techniques described in [RFC7871], Section 11.3.
8. IANA Considerations
This document defines EIL, need request IANA to assign a new EDNS0
option code to EIL.
9. Acknowledgements
EIL is inspired by ECS, the authors especially thanks to C.
Contavalli, W. van der Gaast, D. Lawrence, and W. Kumari.
Thanks comments for Barry Raveendran Greene, Paul Vixie, Petr
&#352;pa&#269;ek, Brian Hartvigsen, Ask Bjoern Hansen.
Thanks a lot to all in the DNSOP, DNSPRIV and DNSEXT mailing list.
10. Appendix A. GeoIP-enabled Nameservers Example
10.1. BIND-GeoIP
As described in BIND-GeoIP [BIND-GeoIP], BIND 9.10 is able to use
data from MaxMind GeoIP databases to achieve restrictions based on
the (presumed) geographic location of that address. The ACL itself
is still address-based, but the GeoIP-based specification mechanisms
can easily populate an ACL with addresses in a certain geographic
location.
Pan & Fu Expires January 18, 2018 [Page 14]

Internet-Draft ISP Location in DNS Queries July 201710.3. Amazon-Geolocation-Routing
As described in Amazon-Geolocation-Routing
[Amazon-Geolocation-Routing], Amazon Route 53 lets you choose the
resources that serve your traffic based on the geographic location of
your users, meaning the location that DNS queries originate from. It
allows you to route some queries for a continent to one resource and
to route queries for selected countries on that continent to a
different resource.
When a browser or other viewer uses a DNS resolver that does support
edns-client-subnet, the DNS resolver sends Amazon Route 53 a
truncated version of the user's IP address. Amazon Route 53
determines the location of the user based on the truncated IP address
rather than the source IP address of the DNS resolver; this typically
provides a more accurate estimate of the user's location. Amazon
Route 53 then responds to geolocation queries with the DNS record for
the user's location.
10.4. DYN-Traffic-Director-ECS
As described in DYN-Traffic-Director-Geographic-Groups and DYN-
Traffic-Director-ECS [DYN-Traffic-Director-ECS], Dyn provides the
ability to control DNS responses on a granular/customized
geographical rule set. Part of the rulesets will be the
identification of the global regions, countries, or states and
provinces that use a specific DNS server group. DYN uses the ECS
information for the geolocation lookup. Once a geolocation is found
and a response is selected, it will provide a DNS response back to
the source IP address.
10.5. gdnsd-GeoIP
As described in gdnsd-GeoIP [gdnsd-GeoIP], gdnsd uses MaxMind's GeoIP
binary databases to map address and CNAME results based on geography
and monitored service availability. gdnsd supports geolocation codes,
such as continent, country, region/subdivision, city.
11. Appendix B. EIL Example
Authoritative Nameserver of www.example.com has enabled EIL.
Stub DNS query A resource record of www.example.com .
Pan & Fu Expires January 18, 2018 [Page 16]